Vault seal migration question

Hey team,

I recently migrated the Vault unseal from Shamir to GCP Cloud auto-unseal AND the Vault storage from the GCP storage backend to Raft. I'm now trying to generate a new root token using the recovery keys that I got when I first unsealed Vault using the GCP master key. However, it's not possible to do that using the GCP unseal keys.

Luckily, I have the Shamir unseal keys, and using those I can generate new root tokens.

Should I be able to create root keys using the recovery keys from GCP auto-unseal? The pods are being automatically unsealed using GCP auto-unseal; however, I was expecting to use the keys that were generated from GCP, not the old ones from Shamir.

Please explain more about what you mean by this. Unsealing does not produce recovery keys.

This is expected behaviour. Following a seal migration to auto-unseal, the previous set of unseal keys moves to being recovery keys.

Please note that the keys are no longer able to unseal Vault, and loss of the GCP KMS key will cause your Vault to be unrecoverable.

Recovery keys only allow privileged operations whilst the auto-unseal device is available, they do not allow recovery from key loss.

Hey @maxb, let's assume the following scenario.

I've migrated from Shamir to GCP auto-unseal, and you mentioned that the previous set of unseal keys moves to recovery keys, meaning that the recovery keys that were created when running vault operator init -migrate are not valid anymore in favor of the recovered ones (Shamir).

It means that, if I need to create a new root token, I will have to use the old Shamir keys and not the ones generated from GCP auto-unseal.

With that said, imagine a situation where these keys (recovery keys and root token) were stolen and there's then a need to regenerate the recovery keys and revoke the root token.

I went to GCP KMS key management and rotated the keys. After that, I tried to create a new root token; however, I can only create one using the old Shamir keys, the ones that were stolen.

How should I proceed and make sure the old Shamir keys are not valid anymore? Only then will I be able to create a new root token and revoke the old one that was stolen.

That is not a valid command. operator init does not accept a -migrate option.

Neither the recovery keys nor root tokens are managed in GCP KMS. Whatever you rotated there has no effect and no relevance to this theft scenario.

This is what the vault operator rekey -target=recovery command does.

No, normal best practice is that you only use the root token for initial setup, then revoke it, and never again generate a new root token, unless you accidentally lock yourself out and cannot fix it otherwise.
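The procedure that the replies above describe, as an added example that is not part of the thread and not HashiCorp's own tooling: after the seal migration the old Shamir shares are the recovery keys, so the remediation for stolen shares is vault operator rekey -target=recovery (which consumes the old shares and issues a new set), then vault operator generate-root with the new shares, then revoking the stolen root token and, following the advice above, the freshly minted one too. The script assumes the vault CLI and jq are installed, VAULT_ADDR points at the cluster, the current recovery shares are in OLD_KEYS_FILE one per line, and the stolen token's value is in STOLEN_ROOT_TOKEN; the file names, the 5/3 share split and the VAULT_REKEY_RUN guard are this example's own choices. Nothing talks to Vault unless VAULT_REKEY_RUN=1 is set, so the helper functions can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the original thread or from Vault itself.
# Rotates the recovery keys after a seal migration to GCP KMS auto-unseal,
# mints a new root token with the NEW recovery keys, and revokes the
# compromised root token. Assumes `vault` and `jq` on PATH and VAULT_ADDR set.
set -eu

# Vault's Shamir split constraints: 1..255 shares, threshold <= shares, and a
# threshold of 1 is only allowed when there is a single share.
validate_split() {
  local shares="$1" threshold="$2"
  [ "$shares" -ge 1 ] && [ "$shares" -le 255 ] || return 1
  [ "$threshold" -ge 1 ] && [ "$threshold" -le "$shares" ] || return 1
  if [ "$threshold" -lt 2 ] && [ "$shares" -ne 1 ]; then return 1; fi
  return 0
}

# Pull one string field (nonce, otp, encoded_token) out of `-format=json`
# output. Works on the indented CLI output as well as single-line JSON.
json_str() {
  sed -n 's/.*"'"$1"'":[[:space:]]*"\([^"]*\)".*/\1/p' | sed -n 1p
}

# Rekey the *recovery* keys. The current shares (the old Shamir unseal keys)
# authorise the operation; a brand-new share set is written to $2, and the
# stolen shares are worthless once Vault reports the rekey complete.
rekey_recovery_keys() {
  local old_keys_file="$1" new_keys_file="$2" shares="$3" threshold="$4"
  validate_split "$shares" "$threshold" || { echo "bad shares/threshold" >&2; return 1; }
  local init nonce out key
  init=$(vault operator rekey -init -target=recovery \
           -key-shares="$shares" -key-threshold="$threshold" -format=json)
  nonce=$(printf '%s\n' "$init" | json_str nonce)
  # Feed current recovery shares (KEY "-" reads from stdin) until complete.
  while read -r key; do
    out=$(printf '%s\n' "$key" | vault operator rekey -target=recovery -nonce="$nonce" -format=json -)
    printf '%s\n' "$out" | jq -e '.complete' >/dev/null && break
  done < "$old_keys_file"
  printf '%s\n' "$out" | jq -r '.keys[]' > "$new_keys_file"
  chmod 600 "$new_keys_file"
}

# Mint a root token with the NEW recovery shares. The CLI prints an OTP on
# -init; the encoded token it returns is decoded locally with that OTP, so the
# plaintext token never appears in Vault's own output.
generate_root_token() {
  local keys_file="$1" init nonce otp out key encoded
  init=$(vault operator generate-root -init -format=json)
  nonce=$(printf '%s\n' "$init" | json_str nonce)
  otp=$(printf '%s\n' "$init" | json_str otp)
  while read -r key; do
    out=$(printf '%s\n' "$key" | vault operator generate-root -nonce="$nonce" -format=json -)
    printf '%s\n' "$out" | jq -e '.complete' >/dev/null && break
  done < "$keys_file"
  encoded=$(printf '%s\n' "$out" | json_str encoded_token)
  vault operator generate-root -decode="$encoded" -otp="$otp"
}

# Revoke the compromised root token using the fresh one. If you no longer
# hold the stolen token's value, revoke by accessor instead:
#   vault token revoke -accessor "$ACCESSOR"
revoke_old_root() {
  local new_token="$1" old_token="$2"
  VAULT_TOKEN="$new_token" vault token revoke "$old_token"
}

main() {
  local old="${OLD_KEYS_FILE:-old-recovery-keys.txt}"
  local new="${NEW_KEYS_FILE:-new-recovery-keys.txt}"
  local new_root
  rekey_recovery_keys "$old" "$new" 5 3
  new_root=$(generate_root_token "$new")
  revoke_old_root "$new_root" "${STOLEN_ROOT_TOKEN:?set STOLEN_ROOT_TOKEN}"
  # Best practice from the thread: do not keep a standing root token around.
  VAULT_TOKEN="$new_root" vault token revoke -self
  echo "recovery keys rotated (new shares in $new); old and new root tokens revoked"
}

if [ "${VAULT_REKEY_RUN:-0}" = "1" ]; then main "$@"; fi
```

Run it as VAULT_REKEY_RUN=1 OLD_KEYS_FILE=... STOLEN_ROOT_TOKEN=... ./rotate-recovery.sh from a host that can reach Vault. Note that rotating the GCP KMS key, as in the question, changes nothing here: the recovery shares and root tokens live in Vault, not in KMS, and the rekey needs the KMS key to be available, since the recovery keys only authorise privileged operations while the auto-unseal device works.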